chipsalliance / caliptra-sw

Caliptra software (ROM, FMC, runtime firmware), and libraries/tools needed to build and test
Apache License 2.0
94 stars 44 forks source link

Propose hybrid (LMS + ECDSA) signing for FMC and Runtime #19

Closed jhand2 closed 1 year ago

jhand2 commented 1 year ago

One goal of Caliptra is to provide a firmware signing scheme for defending against attacks from quantum computers. Currently, only stateful PQC signing algorithms are approved by NIST. Caliptra has chosen to use LMS for firmware signing. Caliptra also supports ECDSA P-384 signing schemes. We need to decide which of these verification schemes will be used in which cases.

Proposal

I propose that Caliptra should support multiple possible modes of signature verification.

Why

Key Manifest Changes

The key manifest may contain all of

Assuming P-384 ECDSA keys and SHA384 LMS keys, at most, this adds 192 bytes compared to only-ECDSA or only-LMS.

This manifest is:

Firmware image changes

A firmware image header may contain all of

In this case, LMS signatures are much larger than ECC signatures. The overhead of including both (instead of just LMS) is minimal.

Modes

Which signatures are enforced by ROM needs to be configurable because LMS signers may not be ready until after tape-out. A public key in can be included in the fused manifest, but LMS signatures may not be available to sign images until some later time.

Note: If a manufacturer ever wants to support hybrid signing, both the ECDSA and LMS public keys must be present in the fused manifest at tape-out.

I propose a single configuration fuse bit:

If fuse is 0, use Mode 1 If fuse is 1, use Mode 2

Notably, once Caliptra is fused to do LMS verification, it cannot be fused to stop doing LMS.

Mode 1: ECDSA-only

Mode 2: Hybrid signing

Bryankel commented 1 year ago

Maybe 2 fuse bits are required. I think you need a mode 3, LMS-only.

In a device where boot time is critical, you'll probably want 1 signature. It is not sufficient to choose ECDSA, as the vendor might want to CNSA 2.0 compliant.

I think at most 3 modes need to be supported. ECDSA, LMS, both.

Making the positive polarity the stronger strength to be more restrictive.

jhand2 commented 1 year ago

I originally had 2 fuse bits, but we discussed in the call that folks were concerned about having complicated state transitions.

The feedback from the group was that cycles required for LMS verification would be significantly higher than ECDSA, so the difference in still doing ECDSA would be negligible. Eric recommended we get some timing numbers to be more sure about this.

But if we can settle on a configuration we're all happy with that supports 3 modes, I would also be cool with that. Here's the proposal I originally had:

Bit 0 Bit 1 Mode
0 0 Mode 1
1 0 Mode 2
1 1 Mode 3

This allows the following progressions:

Notably, once Caliptra is fused to do LMS verification, it cannot be fused to stop doing LMS

Mode 1: ECDSA-only

Mode 2: LMS-only

Mode 3: Hybrid signing

varuns-nvidia commented 1 year ago

I think the next step here is to quantify the performance impact and then decide whether Mode 2 support is a requirement. @ericeilertson is gathering performance numbers.

ericeilertson commented 1 year ago

A simulation was run using a test vector from RFC8554. The parameters for this were run were SHA256, W=8, and H=5. This took 66,293,662 cycles. If we assume 450 Mhz, these parameters mean 147 milliseconds to verify.

The proposed hash algorithm for Caliptra is SHA256/192 which would reduce the amount of work by 25%. Using a w=4 would reduce the number of hashes by 8x.

If we assume those two scaling factors this would imply 6.2 million cycles to verify. At 450 Mhz, this would be 13.8 milliseconds.

This was a first run to get an order of magnitude for runtime. Vishal Soni and I have identified a few ways to improve the efficiency of the code generated. I hope to get these changes in and a run with the proposed parameters early next week.

varuns-nvidia commented 1 year ago

With regard to timing requirements, our assumptions are that the only Caliptra 1.0 integrating devices with hard firmware boot KPIs are PCIe/CXL endpoint devices. These devices face the following requirements:

What does this mean: Devices may require firmware to enter the Detect state. Because that firmware's measurements must be captured by Caliptra, Caliptra is in the critical path for PCIe link up from a Fundamental Reset. The relevant Caliptra critical path is boot from power-good reset, since the Caliptra warm reset boot flow does not authenticate firmware or derive keys.

A PCIe/CXL endpoint integrating Caliptra may choose to map Caliptra's power-good reset to either power-good detection or to PCIe Cold Reset (Fundamental Reset following the application of power). If mapping to power-good, then the device has 100+100 or 100+20 milliseconds to enter Detect state depending on its max link speed. If mapping to PCIe Cold Reset, then the Tpvperl window does not apply and so the critical path is reduced to 100 or 20 milliseconds.

The worst case integration then is 20 milliseconds to boot Caliptra and PCIe link training firmware, and the best case integration is 200+ milliseconds.

The Caliptra spec says the the following for scope and priorities:

The silicon iRoT scope includes all datacenter-focused server class SoC / ASIC (datacenter focused) devices (SSD - DC, NIC, CPU, GPU - DC):

Critical priority are devices with the ability to handle user plain text data
    Top priority are CPU SoCs
    Other examples include SmartNIC and accelerators
Over time scope includes further data center devices
    SSD, HDD, BMC, DIMM

For Caliptra 1.0, trying to solve for the worst case boot KPI while anticipating a quantum apocalypse is not the best use of our resources. Let's keep it simple (just Mode 1 + Mode 3) and strive to improve PQC authentication time in future Caliptra versions.

CC @bharatpillilli

varuns-nvidia commented 1 year ago

@jhand2 , my understanding is that ROM evaluates both Vendor and Owner signatures. Is that not the case?

jhand2 commented 1 year ago

@varuns-nvidia I'm not sure. I don't currently see anything in the spec says who is responsible for verifying the owner signature, so we'll probably want to write that down either way (I'm not strongly opinionated about who verifies the owner signature).

bluegate010 commented 1 year ago

The PoR is yes, ROM evaluates both sigs, as ROM mixes the owner pub key hash into the FMC alias key + cert.

vsonims commented 1 year ago

ROM will do Manufacturer + Owner verification of firmware header. That is the current POR.